Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control."
The structure of an ACE
While we are behind the scenes, let's take a quick look at the basic structure of Windows 2000's generic and object-specific ACE types. All three generic ACE types share the same structure, which Figure 5.11 shows.
Figure 5.11: The structure of a generic ACE.
- ACE Size -- Specifies the size of the entire ACE in bytes, including the variable-length SID.
- ACE Type -- Specifies whether the ACE allows, denies, or monitors (audits) access to an object.
- Inheritance and Audit Flags -- Control the inheritance behaviour of the ACE and, for audit ACEs, whether successful or failed access is recorded.
- Access Mask -- A 32-bit value, interpreted according to the ACE type, in which each bit corresponds to one access right on the object.
- SID -- Identifies the account or group to which the ACE applies.
The three object-specific ACE types use the structure that Figure 5.12 shows.
Figure 5.12: The structure of an object-specific ACE.
The fields for ACE Size, ACE Type, Inheritance and Audit Flags, Access Mask, and SID are identical to those of the generic ACE structure. The real differences between the generic and object-specific ACE structure lie in the Object Type, Inherited Object Type and Object Flags fields.
- Object Type -- If present, contains a GUID that is used to represent a type of child object, an attribute or attribute set, or an extended right.
- Inherited Object Type -- If present, contains a GUID that specifies which child objects can inherit the ACE.
- Object Flags -- Indicate whether the Object Type or Inherited Object Type field is actually present in the ACE structure.
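The two field lists above (the generic ACE in Figure 5.11 and the object-specific ACE in Figure 5.12) are easiest to understand by parsing real bytes. The following Python is an added example, not code from the book or from Realtimepublishers: it builds two ACEs from constructed sample values and parses them back, walking the generic fields (header, access mask, SID) and then the Object Flags, Object Type GUID and Inherited Object Type GUID that only appear in object-specific ACEs. The byte layout follows the Win32 `ACE_HEADER`, `ACCESS_ALLOWED_ACE` and `ACCESS_ALLOWED_OBJECT_ACE` structures from winnt.h, where the header is stored as type, flags, size (the page lists the same three fields in a different order). The constant values are the winnt.h values; the function names, the sample SIDs and the sample GUID are my own constructions.

```python
import struct
import uuid

# ACE type values from winnt.h: three generic types and three object-specific types.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
SYSTEM_AUDIT_ACE_TYPE = 0x02
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x07
OBJECT_ACE_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE,
                    ACCESS_DENIED_OBJECT_ACE_TYPE,
                    SYSTEM_AUDIT_OBJECT_ACE_TYPE}

# Object Flags bits (winnt.h): which optional GUIDs are present in an object ACE.
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2

# Inheritance and audit flag bits (winnt.h) for the AceFlags byte.
ACE_FLAG_NAMES = {0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
                  0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE",
                  0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",
                  0x80: "FAILED_ACCESS_ACE_FLAG"}


def ace_flag_names(ace_flags):
    """Return the names of the flag bits set in an AceFlags byte."""
    return [name for bit, name in sorted(ACE_FLAG_NAMES.items()) if ace_flags & bit]


def build_sid(sid_str):
    """Encode 'S-R-A-s1-s2...' as a binary SID (revision, count, 48-bit authority, sub-authorities)."""
    parts = [int(p) for p in sid_str.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, offset_after_sid)."""
    revision, count = buf[off], buf[off + 1]
    if count > 15:                       # SID_MAX_SUB_AUTHORITIES
        raise ValueError("SID sub-authority count %d is invalid" % count)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def build_ace(ace_type, ace_flags, mask, sid_str, object_type=None, inherited_object_type=None):
    """Serialise one ACE. GUIDs are only emitted (and Object Flags only included) for object ACE types."""
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACE_TYPES:
        obj_flags = ((ACE_OBJECT_TYPE_PRESENT if object_type else 0)
                     | (ACE_INHERITED_OBJECT_TYPE_PRESENT if inherited_object_type else 0))
        body += struct.pack("<I", obj_flags)
        if object_type:
            body += uuid.UUID(object_type).bytes_le      # GUIDs are stored in little-endian mixed form
        if inherited_object_type:
            body += uuid.UUID(inherited_object_type).bytes_le
    body += build_sid(sid_str)
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def parse_ace(buf, off=0):
    """Parse one ACE at buf[off:]; return (dict of fields, offset of the next ACE)."""
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, off)
    if ace_size < 16 or off + ace_size > len(buf):   # 4 header + 4 mask + 8 minimum SID
        raise ValueError("ACE size %d does not fit the buffer" % ace_size)
    (mask,) = struct.unpack_from("<I", buf, off + 4)
    ace = {"ace_type": ace_type, "ace_flags": ace_flag_names(ace_flags),
           "ace_size": ace_size, "access_mask": mask}
    pos = off + 8
    if ace_type in OBJECT_ACE_TYPES:
        (obj_flags,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        ace["object_flags"] = obj_flags
        if obj_flags & ACE_OBJECT_TYPE_PRESENT:
            ace["object_type"] = str(uuid.UUID(bytes_le=bytes(buf[pos:pos + 16])))
            pos += 16
        if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
            ace["inherited_object_type"] = str(uuid.UUID(bytes_le=bytes(buf[pos:pos + 16])))
            pos += 16
    ace["sid"], pos = parse_sid(buf, pos)
    if pos > off + ace_size:
        raise ValueError("ACE fields overrun the declared ACE size")
    return ace, off + ace_size


# Constructed sample data: a generic allow ACE for BUILTIN\Administrators (S-1-5-32-544)
# followed by an object ACE for a made-up domain SID; the GUID is a placeholder, not a real schema GUID.
SAMPLE_GUID = "12345678-1234-1234-1234-123456789abc"
SAMPLE_ACL_BYTES = (
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x02, 0x001F01FF, "S-1-5-32-544")
    + build_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0x02 | 0x08, 0x00000010,
                "S-1-5-21-1-2-3-1000", object_type=SAMPLE_GUID)
)

if __name__ == "__main__":
    off = 0
    while off < len(SAMPLE_ACL_BYTES):
        ace, off = parse_ace(SAMPLE_ACL_BYTES, off)
        print(ace)
```

Walking a real ACL works the same way: ACEs are concatenated, and the parser advances by each ACE's declared size, which is why both size checks matter; a malformed size is the one thing that lets a field of one ACE be read as the header of the next.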